Privacy, Security and GDPR for the Personal Genomics Industry

Living DNA enjoyed the Genealogy Jamboree this month. Our co-founders hosted a Data Privacy discussion, attended by a number of genealogists.

As platinum sponsor, the Living DNA Team really enjoyed their time at the Genealogy Jamboree event earlier this month. During the event, co-founders David Nicholson and Hannah Morden-Nicholson hosted a Data Privacy discussion which was attended by a number of genealogists including Kitty Cooper, Thomas MacEntee, Emily Aulicino, Diahan Southard, Shannon Christmas and Blaine Bettinger.

Based on recent GDPR compliance laws, the main focus of the evening was on how GDPR could affect the family history market. In simple terms, GDPR is something that we feel should be standard practice for any organization. It makes clear what information a company is storing about an individual and why they are storing it, and provides simple ways for individuals to request that their information be removed. The problem for family history is that many people add information about living people to online systems without asking their consent. Say you add the name of your mum or sibling to an online family tree: under the legislation they would need to consent to this.

So, what could genetic ancestry companies do right away to be compliant?

Thomas MacEntee suggested ‘editing the terms of service is the easiest path to GDPR compliance’. Kitty Cooper raised that ‘an alternative way to accomplish new standards of security would be to use a secure third-party service. This could be as simple as ensuring that if you add information about a certain person, they are notified of this to consent to it being on the system.’

Emily Aulicino spoke about the impact on the United States, posing the consideration that, ‘There probably won’t be a huge reaction right away from the United States but all it takes is one person to test for something that they didn’t know they had or didn’t want tested.’ David echoed this, saying ‘GDPR is not designed to hold back industries, it’s designed to increase responsibility.’


When it comes to genetic data, the group came to a consensus over the following key points:

Every person whose DNA is tested must be aware of what is happening with their data.

If, as a family genealogist, you have access to family members' DNA, then as custodian of this data (under GDPR known as a data processor) it's important to ensure you have permission to use the DNA, and you must only upload the DNA when permission is provided.

An individual should prepare for what happens when they pass, including who should have custody of their DNA, and start that process today.

Hannah ended the discussion with "GDPR is about companies actively working towards increased privacy measures whilst putting clients in control of their own data, something Living DNA is founded on."

The discussion finished with everyone looking 10 years ahead. At this point the group thought that:

GDPR would be widespread across not only Europe but the United States and other countries.

Our entire view of handling other people's information (records, DNA, and basic information) would change to be one of care and respect.

By never selling your data to third parties Living DNA allow you to be in control of your data every step of the way.